The HeartBleed Bug: Our advice to you

We received several questions about what you should do to protect your accounts in light of the Heartbleed bug, and we want to offer our advice on the best course of action given the situation.

First, as we mentioned in yesterday’s post, we want you to know that your Dashlane data is safe:

Your Dashlane accounts are not impacted by this flaw

Your Master Passwords are safe as they are never transmitted

Your personal data when transmitted is always ciphered locally with AES 256, which is not affected by the Heartbleed vulnerability

The Heartbleed bug has put millions of websites at risk, allowing an intruder to undetectably intercept data between you and the websites you use. The keyword here is undetectably – it’s impossible to know if a site that was affected by Heartbleed was in fact exploited. All we can know is which sites were at risk.

Checking sites that were at risk and are now fixed

A lot of you have asked if we’ll be using a checker to push alerts for the sites that were affected. We’ve tested these checkers ourselves. The ones that we’ve seen provide some guidance as to which sites you should update – but they’re not 100% accurate.

Errors with these checkers are on the rise as websites are taking measures to close the connections when they detect them. When they’re not being blocked, these checkers will tell you when a site has updated its SSL certificate only if the date that the new SSL certificate was employed was updated as well. But not all SSL certificate providers updated that date when they rolled out the new certificates. In short, looking at that date is not enough.

Without an accurate list of sites that were affected, we can’t intelligently alert you of the accounts whose passwords need updating. We could push alerts for all your accounts, meaning some that are okay will show as needing to be updated. That is not what this feature was designed for. It’s designed to send an alert on a per account basis. It’s too risky to push millions of alerts at once when the stability of our app is more critical than ever. Plus, that could get too annoying for you. You need to be alerted of the issue – websites are sending emails to let you know when it’s safe to update your passwords. Some sites are even logging you out of your accounts and requiring password changes. We’re also emailing you with our best advice…

Our advice to you

In an ideal world, you should change all of your passwords now and then again in 10 days when sites have patched the bug and issued new SSL certificates. In order to be as fully protected as possible, we’re in the process of emailing our users to advise the following:

Immediately change the passwords for the accounts that are most critical to you (for example, your bank, your PayPal account, your email accounts…) by generating strong unique passwords using Dashlane

Wait for an additional 10 days before changing any other passwords. You need to make sure all these sites have fixed the problem before changing your passwords

In 10 days, go back to all your critical accounts and change the passwords a second time by generating strong unique passwords using Dashlane

Then change all of the passwords of your less critical accounts in the same way.

How you can manage this process

If you’d like to manage this process on a per account basis, these checkers are useful for showing you which passwords are as safe to change when they work. For the reasons mentioned above, you now know why they’re only okay. (This one is popular.) Also, you can see when you last generated a password for an account by going to Tools > See Generated Passwords.

Managing this on a per account basis seems tedious. It’d be faster to change all your passwords, which isn’t the most fun thing any of us has ever had to do. We are in the midst of the biggest security vulnerability the Internet has ever seen. As they say, desperate times call for desperate measures. Luckily for any Dashlane user, it’s incredibly simple to change your passwords.

We hope this post helps clarify the actions we’re taking to help you stay safe on the Internet. We’ll continue to keep you updated and address your questions or concerns as the Heartbleed situation unfolds. As always, thanks for trusting your data in Dashlane.